Home » ZyXEL Manuals » Networking » ZyXEL P-2602HW-D3A » Manual Viewer

ZyXEL P-2602HW-D3A User Guide - Page 369

Advanced Encryption Standard AES, Message Integrity Check MIC and IEEE 802.1x.

Get ZyXEL P-2602HW-D3A PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 369 highlights

P-2602H(W)(L)-DxA Series User's Guide For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 148 Comparison of EAP Authentication Types Mutual Authentication Certificate - Client Certificate - Server Dynamic Key Exchange Credential Integrity Deployment Difficulty Client Identity Protection EAP-MD5 No No No No None Easy No EAP-TLS Yes Yes Yes Yes Strong Hard No EAP-TTLS Yes Optional Yes Yes Strong Moderate Yes PEAP Yes Optional Yes Yes Strong Moderate Yes LEAP Yes No No Yes Moderate Moderate No WPA User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically. AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. Appendix E Wireless LANs 369

Section	Page
P-2602HW(L) Series	1
P-2602H Series	1
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	23
List of Tables	29
Preface	35
Getting To Know the ZyXEL Device	37
1.1 Introducing the P-2602H(W)(L)-Dx Series	37
1.2 Features	38
1.3 Wireless Features (“W” models only)	42
1.4 Applications for the ZyXEL Device	44
1.4.1 Internet Access	44
1.4.1.1 Internet Single User Account	44
1.4.2 Making Calls via Internet Telephony Service Provider	44
1.4.3 Make Peer-to-peer Calls	45
1.4.4 Firewall for Secure Broadband Internet Access	45
1.4.5 LAN to LAN Application	46
1.4.6 LEDs	47
Introducing the Web Configurator	49
2.1 Web Configurator Overview	49
2.1.1 Accessing the Web Configurator	49
2.1.2 The RESET Button	51
2.1.2.1 Using The Reset Button	51
2.2 Web Configurator Main Screen	52
2.2.1 Title Bar	52
2.2.2 Navigation Panel	53
2.2.3 Main Window	55
2.2.4 Status Bar	55
Internet and Wireless Setup Wizard	57
3.1 Introduction	57
3.2 Internet Access Wizard Setup	57
3.2.1 Manual Configuration	59
3.3 Wireless Connection Wizard Setup	65
VoIP Wizard And Example	71
4.1 Introduction	71
4.2 VoIP Wizard Setup	71
Bandwidth Management Wizard	77
5.1 Introduction	77
5.2 Predefined Media Bandwidth Management Services	77
5.3 Bandwidth Management Wizard Setup	78
Status Screens	83
6.2 Any IP Table	86
6.3 WLAN Status (“W” models only)	87
6.4 Packet Statistics	87
6.5 VoIP Statistics	89
WAN Setup	93
7.1.1 Encapsulation	93
7.1.1.1 ENET ENCAP	93
7.1.1.2 PPP over Ethernet	93
7.1.1.3 PPPoA	94
7.1.1.4 RFC 1483	94
7.1.2 Multiplexing	94
7.1.2.1 VC-based Multiplexing	94
7.1.2.2 LLC-based Multiplexing	94
7.1.3 VPI and VCI	94
7.1.4 IP Address Assignment	95
7.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation	95
7.1.4.2 IP Assignment with RFC 1483 Encapsulation	95
7.1.4.3 IP Assignment with ENET ENCAP Encapsulation	95
7.1.5 Nailed-Up Connection (PPP)	95
7.1.6 NAT	95
7.2 Metric	96
7.3 Traffic Shaping	96
7.3.1 ATM Traffic Classes	97
7.3.1.1 Constant Bit Rate (CBR)	97
7.3.1.2 Variable Bit Rate (VBR)	97
7.3.1.3 Unspecified Bit Rate (UBR)	98
7.4 Zero Configuration Internet Access	98
LAN Setup	107
8.1.1 LANs, WANs and the ZyXEL Device	107
8.1.2 DHCP Setup	108
8.1.2.1 IP Pool Setup	108
8.1.3 DNS Server Address	108
8.1.4 DNS Server Address Assignment	109
8.2 LAN TCP/IP	109
8.2.1 IP Address and Subnet Mask	109
8.2.1.1 Private IP Addresses	110
8.2.2 RIP Setup	110
8.2.3 Multicast	111
8.2.4 Any IP	111
8.2.4.1 How Any IP Works	112
Wireless LAN	121
9.1 Wireless Network Overview	121
9.2 Wireless Security Overview	122
9.2.1 SSID	122
9.2.2 MAC Address Filter	122
9.2.3 User Authentication	123
9.2.4 Encryption	123
9.2.5 One-Touch Intelligent Security Technology (OTIST)	124
9.3 Wireless Performance Overview	124
9.3.1 Quality of Service (QoS)	124
9.4 Additional Wireless Terms	125
9.5.1 No Security	126
9.5.2 WEP Encryption Screen	127
9.5.3 WPA(2)-PSK	128
9.5.4 WPA(2) Authentication Screen	130
9.6.1 Notes on OTIST	135
Network Address Translation (NAT) Screens	141
10.1.1 NAT Definitions	141
10.1.2 What NAT Does	142
10.1.3 How NAT Works	142
10.1.4 NAT Application	143
10.1.5 NAT Mapping Types	143
10.2 SUA (Single User Account) Versus NAT	144
10.4 Port Forwarding	145
10.4.1 Default Server IP Address	146
10.4.2 Port Forwarding: Services and Port Numbers	146
10.4.3 Configuring Servers Behind Port Forwarding (Example)	146
Voice	151
11.1 Introduction to VoIP	151
11.2 SIP	151
11.2.1 SIP Identities	151
11.2.1.1 SIP Number	151
11.2.1.2 SIP Service Domain	152
11.2.2 SIP Call Progression	152
11.2.3 SIP Servers	152
11.2.3.1 SIP User Agent	153
11.2.3.2 SIP Proxy Server	153
11.2.3.3 SIP Redirect Server	154
11.2.3.4 SIP Register Server	154
11.3.1 RTP	156
11.4 Pulse Code Modulation	156
11.5 Voice Coding	156
11.5.1 G.711	156
11.5.2 G.729	156
11.6 PSTN Call Setup Signaling	157
11.7 MWI (Message Waiting Indication)	157
11.8 Custom Tones (IVR)	157
11.8.0.1 Recording Custom Tones	157
11.8.0.2 Listening to Custom Tones	158
11.8.0.3 Deleting Custom Tones	158
11.10 Quality of Service (QoS)	162
11.10.1 Type Of Service (ToS)	162
11.10.2 DiffServ	162
11.10.2.1 DSCP and Per-Hop Behavior	162
11.10.3 VLAN	163
11.11 Phone	164
11.12 PSTN Line (“L” models only)	164
11.12.1 Voice Activity Detection/Silence Suppression	164
11.12.2 Comfort Noise Generation	164
11.12.3 Echo Cancellation	164
11.15 Supplementary Phone Services Overview	168
11.15.1 The Flash Key	168
11.15.2 Europe Type Supplementary Phone Services	168
11.15.2.1 European Call Hold	169
11.15.2.2 European Call Waiting	169
11.15.2.3 European Call Transfer	169
11.15.2.4 European Three-Way Conference	170
11.15.3 USA Type Supplementary Services	170
11.15.3.1 USA Call Hold	170
11.15.3.2 USA Call Waiting	171
11.15.3.3 USA Call Transfer	171
11.15.3.4 USA Three-Way Conference	171
11.17 Speed Dial	172
11.17.1 Peer-to-Peer Calls	172
Phone Usage	179
12.1 Dialing a Telephone Number	179
12.2 Using Speed Dial to Dial a Telephone Number	179
12.3 Internal Calls	179
12.4 Checking the Device’s IP Address	179
12.5 Auto Firmware Upgrade	180
Firewalls	181
13.2 Types of Firewalls	181
13.2.1 Packet Filtering Firewalls	181
13.2.2 Application-level Firewalls	182
13.2.3 Stateful Inspection Firewalls	182
13.3 Introduction to ZyXEL’s Firewall	182
13.3.1 Denial of Service Attacks	183
13.4 Denial of Service	183
13.4.1 Basics	183
13.4.2 Types of DoS Attacks	184
13.4.2.1 ICMP Vulnerability	186
13.4.2.2 Illegal Commands (NetBIOS and SMTP)	186
13.4.2.3 Traceroute	187
13.5 Stateful Inspection	187
13.5.1 Stateful Inspection Process	188
13.5.2 Stateful Inspection on Your ZyXEL Device	188
13.5.3 TCP Security	189
13.5.4 UDP/ICMP Security	189
13.5.5 Upper Layer Protocols	190
13.6 Guidelines for Enhancing Security with Your Firewall	190
13.6.1 Security In General	190
13.7 Packet Filtering Vs Firewall	191
13.7.1 Packet Filtering:	191
13.7.1.1 When To Use Filtering	192
13.7.2 Firewall	192
13.7.2.1 When To Use The Firewall	192
Firewall Configuration	193
14.1 Access Methods	193
14.2 Firewall Policies Overview	193
14.3 Rule Logic Overview	194
14.3.1 Rule Checklist	194
14.3.2 Security Ramifications	194
14.3.3 Key Fields For Configuring Rules	195
14.3.3.1 Action	195
14.3.3.2 Service	195
14.3.3.3 Source Address	195
14.3.3.4 Destination Address	195
14.4 Connection Direction	195
14.4.1 LAN to WAN Rules	196
14.4.2 Alerts	196
14.7 Example Firewall Rule	203
14.8.1 Threshold Values	207
14.8.2 Half-Open Sessions	208
14.8.2.1 TCP Maximum Incomplete and Blocking Time	208
Content Filtering	211
Introduction to IPSec	215
16.1 VPN Overview	215
16.1.1 IPSec	215
16.1.2 Security Association	215
16.1.3 Other Terminology	215
16.1.3.1 Encryption	215
16.1.3.2 Data Confidentiality	216
16.1.3.3 Data Integrity	216
16.1.3.4 Data Origin Authentication	216
16.1.4 VPN Applications	216
16.2 IPSec Architecture	216
16.2.1 IPSec Algorithms	217
16.2.2 Key Management	217
16.3 Encapsulation	217
16.3.1 Transport Mode	218
16.3.2 Tunnel Mode	218
16.4 IPSec and NAT	218
VPN Screens	221
17.1 VPN/IPSec Overview	221
17.2 IPSec Algorithms	221
17.2.1 AH (Authentication Header) Protocol	221
17.2.2 ESP (Encapsulating Security Payload) Protocol	221
17.3 My IP Address	222
17.4 Secure Gateway Address	223
17.4.1 Dynamic Secure Gateway Address	223
17.6 Keep Alive	225
17.7 VPN, NAT, and NAT Traversal	226
17.8 Remote DNS Server	227
17.9 ID Type and Content	227
17.9.1 ID Type and Content Examples	229
17.10 Pre-Shared Key	229
17.12 IKE Phases	234
17.12.1 Negotiation Mode	235
17.12.2 Diffie-Hellman (DH) Key Groups	236
17.12.3 Perfect Forward Secrecy (PFS)	236
17.14 Manual Key Setup	239
17.14.1 Security Parameter Index (SPI)	239
17.18 Telecommuter VPN/IPSec Examples	244
17.18.1 Telecommuters Sharing One VPN Rule Example	244
17.18.2 Telecommuters Using Unique VPN Rules Example	245
17.19 VPN and Remote Management	247
Static Route	249
Bandwidth Management	253
19.2 Application-based Bandwidth Management	253
19.3 Subnet-based Bandwidth Management	253
19.4 Application and Subnet-based Bandwidth Management	254
19.5 Scheduler	254
19.5.1 Priority-based Scheduler	254
19.5.2 Fairness-based Scheduler	255
19.6 Maximize Bandwidth Usage	255
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	255
19.6.2 Maximize Bandwidth Usage Example	256
19.6.2.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth	256
19.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth	257
19.6.3 Bandwidth Management Priorities	257
Dynamic DNS Setup	263
20.1.1 DYNDNS Wildcard	263
Remote Management Configuration	267
21.1.1 Remote Management Limitations	267
21.1.2 Remote Management and NAT	268
21.1.3 System Timeout	268
21.3 Telnet	269
21.6.1 Supported MIBs	272
21.6.2 SNMP Traps	273
Universal Plug-and-Play (UPnP)	277
22.1.1 How do I know if I'm using UPnP?	277
22.1.2 NAT Traversal	277
22.1.3 Cautions with UPnP	278
22.2 UPnP and ZyXEL	278
22.3 Installing UPnP in Windows Example	279
22.4 Using UPnP in Windows XP Example	282
System	289
23.1 General Setup and System Name	289
Logs	295
24.1.1 Alerts and Logs	295
24.4 SMTP Error Messages	299
24.4.1 Example E-mail Log	299
Tools	301
25.1 Introduction	301
25.2 Filename Conventions	301
25.3 File Maintenance Over WAN	302
25.5.1 Backup Configuration	305
25.5.2 Restore Configuration	305
25.5.3 Reset to Factory Defaults	307
25.7 Using FTP or TFTP to Back Up Configuration	308
25.7.1 Using the FTP Commands to Back Up Configuration	308
25.7.2 FTP Command Configuration Backup Example	308
25.7.3 Configuration Backup Using GUI-based FTP Clients	309
25.7.4 Backup Configuration Using TFTP	309
25.7.5 TFTP Command Configuration Backup Example	310
25.7.6 Configuration Backup Using GUI-based TFTP Clients	310
25.8 Using FTP or TFTP to Restore Configuration	310
25.8.1 Restore Using FTP Session Example	311
25.9 FTP and TFTP Firmware and Configuration File Uploads	311
25.9.1 FTP File Upload Command from the DOS Prompt Example	311
25.9.2 FTP Session Example of Firmware File Upload	312
25.9.3 TFTP File Upload	312
25.9.4 TFTP Upload Command Example	313
Diagnostic	315
Troubleshooting	319
27.1 Problems Starting Up the ZyXEL Device	319
27.2 Problems with the LAN	319
27.3 Problems with the WAN	320
27.4 Problems Accessing the ZyXEL Device	321
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	321
27.4.1.1 Internet Explorer Pop-up Blockers	322
27.4.1.2 JavaScripts	325
27.4.1.3 Java Permissions	327
27.5 Telephone Problems	329
27.6 Problems With Multiple SIP Accounts	330
27.6.1 Outgoing Calls	330
27.6.2 Incoming Calls	331
Product Specifications	333
Splitters and Microfilters	339
Setting up Your Computer’s IP Address	341
IP Addresses and Subnetting	353
Wireless LANs	361
Services	371
Firewall Commands	375
Triangle Route	377
Log Descriptions	381
Command Interpreter	393
Internal SPTGEN	395
Index	421
A	421
B	421
C	421
D	422
E	422
F	422
G	423
H	423
I	423
J	424
K	424
L	424
M	424
N	424
O	424
P	425
Q	425
R	425
S	426
T	426
U	427
V	427
W	427

Match case Limit results 1 per page

P-2602H(W)(L)-DxA Series User’s Guide

Appendix E Wireless LANs

369

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use

dynamic keys for data encryption. They are often deployed in corporate environments, but for

public deployment, a simple user name and password pair is more practical. The following

table is a comparison of the features of authentication types.

WPA

User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate

wireless stations using an external RADIUS database.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or

Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication

server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named

Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is

never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up

a key hierarchy and management system, using the PMK to dynamically generate unique data

encryption keys to encrypt every data packet that is wirelessly communicated between the AP

and the wireless stations. This all happens in the background automatically.

AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES

applies a 128-bit key to 128-bit blocks of data.

Table 148

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

Yes

Certificate – Client

Yes

Optional

Certificate – Server

Yes

Dynamic Key Exchange

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

Yes